[RFC] msxml3: Fix crashes due to access to invalid context pointer.

Nikolay Sivov nsivov at codeweavers.com
Mon Dec 20 02:08:18 CST 2021



On 12/18/21 11:42, Bernhard Übelacker wrote:
> Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52073
>
> In function xslt_doc_default_loader a pointer to the stack-based
> variable "xmlParserInputPtr input" is given to bind_url.
>
> Later, in function import_loader_onDataAvailable, this pointer appears
> as parameter "void *ctxt", which correctly gets cast to
> "xmlParserInputPtr *input" but, in my opinion, is incorrectly given
> to xmlNewIOInputStream as parameter "xmlParserCtxtPtr ctxt".
>
> In the next call to xmlNewInputStream, this xmlParserCtxtPtr is
> used to increment the input_id member.
>
> By accident, this input_id member contains the pointer that causes
> the segfault in xmlXPathNodeCollectAndTest.
...
>   
>       inputbuffer = xmlParserInputBufferCreateIO(import_loader_io_read, import_loader_io_close, buffer,
>               XML_CHAR_ENCODING_NONE);
> -    *input = xmlNewIOInputStream(ctxt, inputbuffer, XML_CHAR_ENCODING_NONE);
> +    *input = xmlNewIOInputStream(NULL, inputbuffer, XML_CHAR_ENCODING_NONE);
>       if (!*input)
>           xmlFreeParserInputBuffer(inputbuffer);
>   
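Review bot: passing NULL stops the crash but leaves the root cause in place: the `void *ctxt` parameter of import_loader_onDataAvailable is really the `xmlParserInputPtr *` that bind_url was given, so nothing prevents it from being handed to another libxml2 call that expects an xmlParserCtxtPtr. Rename the parameter (or cast it once into a local named for what it is, e.g. `xmlParserInputPtr *input = ctxt;`, and never use `ctxt` again below that line) and add a one-line comment above the xmlNewIOInputStream call saying the NULL is deliberate: the loader callback has no parser context, and xmlNewInputStream only uses it to assign input->id from ctxt->input_id, which it skips when ctxt is NULL. With no context there is also no libxml2 error reporting on allocation failure, so the existing `if (!*input)` path, which frees inputbuffer, must also make the caller treat the load as failed.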
Hi,

thanks, this looks correct. According to the libxml2 code, ctxt won't be
useful anyway in this situation, even if we had a correct one.
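The mechanism the commit message describes, as an added example that is not part of the thread and is neither Wine's nor libxml2's code: a pointer to a stack variable travels through a `void *` callback context, is then treated as a parser context, and the `input_id++` that libxml2 performs on it lands on a neighbouring local. The struct layouts (`parser_ctxt`, `parser_input`, `loader_frame`), the field offsets and the sentinel value are assumptions chosen to make the effect visible; the increment is replayed byte for byte with memcpy so that the demonstration is well-defined C rather than depending on what a compiler does with a mis-typed dereference.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative models (assumptions), not libxml2's real layouts. The only
 * property that matters is that input_id sits at a non-zero offset inside
 * the parser context, so when a pointer that is NOT a parser context is
 * treated as one, the increment touches bytes past the pointed-to object. */
typedef struct {
    char pad[sizeof(void *)];  /* stands in for the fields before input_id */
    int  input_id;
} parser_ctxt;

typedef struct {
    int id;
    const char *name;
} parser_input;

/* Mirrors the libxml2 behaviour the reply relies on: a NULL context is
 * tolerated and the new stream simply keeps id == 0. */
static parser_input *new_input_stream(parser_ctxt *ctxt)
{
    parser_input *in = calloc(1, sizeof *in);
    if (!in)
        return NULL;
    if (ctxt != NULL)
        in->id = ctxt->input_id++;
    return in;
}

/* Model of the loader callback's stack frame (assumption): `input` is the
 * local whose address was handed out as the void* context; `node` is a
 * neighbouring pointer that is dereferenced later. */
struct loader_frame {
    parser_input *input;   /* the "xmlParserInputPtr input" from the commit message */
    void *node;            /* assumption: a neighbouring pointer, later dereferenced */
    char  tail[16];
};

/* Byte-level rendition of `ctxt->input_id++` evaluated on a pointer that in
 * fact points at frame->input. Returns the frame offset that was modified,
 * or -1 if the write would fall outside the frame (a real program would then
 * hit whatever lies beyond it). */
static long confused_input_id_increment(struct loader_frame *frame)
{
    size_t off = offsetof(parser_ctxt, input_id);
    int v;

    if (off + sizeof v > sizeof *frame)
        return -1;
    memcpy(&v, (unsigned char *)frame + off, sizeof v);
    v++;
    memcpy((unsigned char *)frame + off, &v, sizeof v);
    return (long)off;
}

/* 1 if treating the callback context as a parser context changed the
 * neighbouring local (the pattern behind the reported crash), else 0. */
static int confused_call_corrupts_neighbour(void)
{
    void *marker = (void *)0x1000;   /* constructed sentinel */
    struct loader_frame frame;

    memset(&frame, 0, sizeof frame);
    frame.input = NULL;
    frame.node = marker;
    return confused_input_id_increment(&frame) >= 0 && frame.node != marker;
}

/* 1 if the fixed call (NULL context) yields a stream with id 0 and touches
 * nothing else, which is what the patch relies on. */
static int null_ctxt_gives_id_zero(void)
{
    parser_input *in = new_input_stream(NULL);
    int ok = in != NULL && in->id == 0;
    free(in);
    return ok;
}

/* 1 if a genuine context hands out consecutive ids, for comparison. */
static int real_ctxt_assigns_consecutive_ids(void)
{
    parser_ctxt ctxt = { {0}, 5 };
    parser_input *a = new_input_stream(&ctxt);
    parser_input *b = new_input_stream(&ctxt);
    int ok = a && b && a->id == 5 && b->id == 6 && ctxt.input_id == 7;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("wrong-typed context corrupts neighbour: %d\n", confused_call_corrupts_neighbour());
    printf("NULL context gives id 0: %d\n", null_ctxt_gives_id_zero());
    printf("real context gives consecutive ids: %d\n", real_ctxt_assigns_consecutive_ids());
    return 0;
}
```

The takeaway for reviewing callback code of this shape: a `void *` context should be cast exactly once into a local whose type says what it is, and any libxml2 call that wants an xmlParserCtxtPtr should receive either a real context or an explicit NULL, never the callback's opaque argument.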



More information about the wine-devel mailing list